The existence of a malware business as evidence of the incapacity of the security industry
Myths live their own special lives. Some of them die before they are really born. Some eke out a miserable existence somewhere on the outskirts of human consciousness. But some take such hold of the minds of the masses that they outweigh every reasonable argument against the myth.
Have you ever heard from your relatives, acquaintances or random passers-by that firefighters themselves set fire to buildings, which they then fearlessly extinguish? Yet every time people who are very far from information security find out that I work in this field, the question I always hear goes something like this: "Is it true that antivirus companies write the viruses themselves?"
Why is that? What is going on? After all, neither firefighters nor members of any other profession are suspected of such sabotage. Only the antivirus industry is. The answer, I believe, is as follows. The antivirus industry in its current state is not willing to fight the malware business on the scale that is needed. Of course, one can recall the recent takedown of the Rustock botnet command-and-control servers by Microsoft, as well as Arbor's efforts in this direction. But do you know of any precedent where a modern war was won by a few successful counterattacks? The author cannot recall any such case...
Consider Mr. X, who has on his work computer a "good" antivirus Y, recommended by a salesman in a large store. He had already read about this antivirus in his favourite daily newspaper, and the brand has been mentioned repeatedly in news forums. The anti-virus subscription is paid for, the operating system is licensed and constantly updated. Mr. X is absolutely sure that nothing will happen to his documents and photographs, because they are under the reliable protection of antivirus Y, as the salesman and the newspaper assured him.
But one day, turning on the computer, Mr. X is left in complete bewilderment, bordering on shock. All his important documents and photos turn out to be encrypted, and a small note has appeared on the desktop (grammar and punctuation preserved): "All your docks are encrypted. Unscramble them does not work. If you want to get everything back, transfer 1000 WMR to the Rxxxxxxxxxxxxxx wallet and I will send you the air conditioner." The anti-virus glows green and reports that nothing harmful was found on the computer. "How can this be! This should not have happened! My documents! My photos! Why did the antivirus keep silent?! It is a good one, it should not allow such a thing!!!" Mr. X thinks, "So this virus must have been written by competitors from another anti-virus lab in order to sell me their own product, which, of course, already catches this virus. That is logical." Yes, Mr. X, it sounds very logical. But it is not true. Do you know why? Because three errors have crept into your logic, errors invisible to the average layman such as yourself.
Mistake number one in the logic of Mr. X. Why are you, in fact, sure that antivirus X is reliable? Or any of its competitors on the market? How reliable are modern antiviruses? Let us turn to the facts. Fact: "Eurostat: antivirus does not guarantee protection. Eurostat, the official EU statistics office, has published some very interesting data. It turns out that in 2010, 84% of Europeans (taking part in the survey) used some kind of computer security software.
At the same time, 31% of the respondents admitted that they had encountered an infection of their system by a computer virus (or other form of malicious code)." True, one can always object that a poll is a subjective thing. Fact: the dynamic test from one of the most respected test labs, AV-Comparatives (http://chart.av-comparatives.org/chart2.php). The best antivirus in the test at the time of writing (June 2011) has a protection rating of 99.3%. To a simple layman this may look like a good result. But to any specialist in anti-virus security it is obvious that this is a complete fiasco. Why?
Let's do some simple calculations. Every day, according to various estimates, approximately 30 to 70 thousand unique malicious modules are produced worldwide. Yes, this is so: according to recent information from the Microsoft security center, the useful lifetime of a malicious module is about 4 hours; after that the cloud components of anti-virus solutions catch up, and the sample is of no further value to the shadow business. Taking the minimum estimate: 30,000 * 0.7% = 210 viruses per day that penetrate the protective barriers of antiviruses and cause damage to personal computer users. What this figure becomes in, say, five years, given the exponential growth in the number of malicious files every year, anyone familiar with the basics of mathematical analysis can calculate for themselves.
That gives 210 * 365 = 76,650 harmful viruses per year. Under the maximum estimate (70,000 per day), the figure more than doubles, to 178,850 threats per year. Thus even the best anti-virus products can hardly be considered reliable in today's reality. For me personally, a test in which fresh ransomware samples, caught literally a few minutes after their release, were run against anti-virus protection was especially revealing: http://malwareresearchgroup.com/2011/07/26/mrg-flash-test-26072011/
Mistake number two in the logic of Mr. X. To get past any antivirus, you do not need to be a professional programmer or an expert in the internals of the operating system. It is enough to be a good student who does not sleep through lectures and practical classes. There is nothing prohibitively complicated about it. Only practice and a debugger.
Mistake number three in the logic of Mr. X. Spreading malware (also known as computer viruses) is a highly profitable business. And it is built in the same way as any other business in information technology: an office, investors, developers, managers, distributors, affiliates, affiliate programs. Except that this business is illegal and subject to prosecution. Why would a "white" anti-virus company do such things and risk its reputation, if the profitability of anti-virus sales is no lower, and perhaps even higher, than the profitability of the malware business, and nobody will come knocking at the door with a search warrant?
From the point of view of a detached observer, an absurd situation arises. An ordinary user is convinced that viruses are developed by antivirus companies, yet continues to use their products and pay for them, directly or indirectly, while in parallel paying a "tribute" of money and computing resources to the shadow business built on computer viruses, from which antiviruses are unable to protect him. Surreal, pure surrealism, isn't it?
The very fact that a business built on malicious software exists, under conditions of almost total market penetration by anti-virus solutions, proves their incapacity. Nevertheless, the marketing departments of antivirus companies continue to sing the praises of their products. It would be very strange if they did not; everyone has to eat. And as long as Mr. X keeps buying antiviruses, nothing will change for him. He may even migrate from antivirus Y to a competing product Z, but after a while the story of his computer getting infected will repeat itself.
Anti-virus tools are already 25 years old; they are technically obsolete. But why should anti-virus companies change anything dramatically if the old methods and tools still sell like hot cakes? New approaches to protection against malicious software are already knocking on the door, showing results unattainable for antiviruses (and much desired by users).
For example, the MRG Effitas test of protection against 0-day malware infection (http://malwareresearchgroup.com/malware-tests/flash-test-results/) clearly shows that the only sandbox taking part in the test easily outperformed all the other products. This suggests that including a permanent, default-on sandbox in Internet Security class solutions could drastically cut the profit margin of the "malware businessmen", down to a level where a bank deposit would be more profitable than investing in the development and promotion of computer viruses.